OPS235 Assignment 2 Tips
Caution: THIS IS AN OLD VERSION OF THE ASSIGNMENT. This is an archived version. Do not use this in your OPS235 course.
Latest revision as of 12:02, 27 November 2019
Turning Firewall On/Off on CentOS 7
To turn it off (flush the filter-table rules and make the built-in chains accept everything)
- /usr/sbin/iptables -F
- /usr/sbin/iptables -P INPUT ACCEPT
- /usr/sbin/iptables -P OUTPUT ACCEPT
This only empties the running rule set of the filter table: firewalld keeps running, its configuration is untouched, and its nat/mangle rules stay in place, so the next restart or reload of firewalld puts the rules back. The two -P lines matter because flushing alone leaves whatever default policy the chains already had; on a host whose INPUT policy is DROP, iptables -F by itself blocks every packet that no longer matches a rule.
To turn it on (reload firewalld's rule set)
- systemctl restart firewalld.service
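The script below is an added example and not part of the OPS235 page: it reads `iptables -S` style output and reports whether the INPUT chain is really open (what the flush plus ACCEPT policies above leave behind), still filtering (what firewalld installs), or locked (a non-ACCEPT default policy, the case the -P lines guard against). All three rule dumps are constructed samples in `iptables -S` format, trimmed and not captured from a real host; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the OPS235 page: classify the state of the INPUT
# chain from `iptables -S` output. The three dumps are CONSTRUCTED samples.

# What CentOS 7 shows after `iptables -F` and `iptables -P INPUT/OUTPUT ACCEPT`:
FLUSHED_DUMP='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Abbreviated version of what firewalld installs after `systemctl restart
# firewalld.service` (chain names are firewalld's; the rule list is trimmed).
# Note the policy stays ACCEPT: filtering is done by the explicit REJECT rule.
FIREWALLD_DUMP='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N INPUT_ZONES
-N INPUT_direct
-N IN_public
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -j IN_public
-A IN_public -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'

# A host whose default policy is DROP: `iptables -F` alone would lock it out,
# which is why the recipe also sets the policies to ACCEPT.
LOCKED_DUMP='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT'

# chain_policy DUMP CHAIN -> default policy of a built-in chain (ACCEPT, DROP, ...)
chain_policy() {
    printf '%s\n' "$1" | awk -v chain="$2" '$1 == "-P" && $2 == chain { print $3; exit }'
}

# rule_count DUMP CHAIN -> number of -A rules attached directly to CHAIN
rule_count() {
    printf '%s\n' "$1" | awk -v chain="$2" '$1 == "-A" && $2 == chain { n++ } END { print n + 0 }'
}

# input_state DUMP -> "open" when nothing in INPUT can drop a packet,
# "filtering" when rules are attached, "locked" when the policy is not ACCEPT.
# Checking the policy alone is not enough: firewalld keeps it ACCEPT.
input_state() {
    pol=$(chain_policy "$1" INPUT)
    if [ "$pol" != "ACCEPT" ]; then
        echo locked
    elif [ "$(rule_count "$1" INPUT)" -eq 0 ]; then
        echo open
    else
        echo filtering
    fi
}

# On a real host: input_state "$(iptables -S)". Here, the constructed samples:
input_state "$FLUSHED_DUMP"     # open
input_state "$FIREWALLD_DUMP"   # filtering
input_state "$LOCKED_DUMP"      # locked
```

Run it as root on the real host with `input_state "$(iptables -S)"` after each of the commands above to confirm the effect, rather than trusting that a flush did what you expect.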
Turning SELinux On/Off on CentOS 7
To temporarily switch SELinux from enforcing to permissive mode (the policy stays loaded and denials are still logged to the audit log, but they are no longer blocked)
- setenforce 0
To switch SELinux back to enforcing mode
- setenforce 1
Neither command survives a reboot; the persistent mode comes from the SELINUX= line in /etc/selinux/config, which sestatus reports as "Mode from config file".
To check the current status of SELinux
- sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
- setenforce 0
- sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Listing the run-time configurable parameters (booleans) of the loaded SELinux policy
- getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
auditadm_exec_content --> on
authlogin_nsswitch_use_ldap --> off
authlogin_radius --> off
authlogin_yubikey --> off
awstats_purge_apache_log_files --> off
boinc_execmem --> on
...
List of the SELinux run-time booleans that control the Apache server (httpd)
- getsebool -a | grep httpd
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
How to turn on/off a SELinux run-time parameter
To turn on a run-time parameter
For the current session only (lost at reboot)
- setsebool httpd_can_network_connect_db on
Persistently (kept after a reboot)
- setsebool -P httpd_can_network_connect_db on
To turn off a run-time parameter
For the current session only (lost at reboot)
- setsebool httpd_can_network_connect_db off
Persistently (kept after a reboot)
- setsebool -P httpd_can_network_connect_db off
Prefer the narrowest boolean that covers the denial you are seeing: httpd_can_network_connect_db lets httpd reach database ports only, whereas httpd_can_network_connect lets it open outbound connections to any port. Flipping a boolean is a far smaller change than setenforce 0, which relaxes every rule for every domain. The -P form rewrites the policy store and takes noticeably longer than the session-only form; confirm the result with getsebool httpd_can_network_connect_db.
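The script below is an added example and not part of the OPS235 page. It covers the SELinux checks from the two sections above in script form: read the current mode out of `sestatus` output, list which httpd booleans are enabled (the list to review when deciding what httpd should be allowed to do), and summarise the AVC denial records in the audit log that a boolean such as httpd_can_network_connect_db is meant to resolve. The `sestatus` and `getsebool` samples are constructed from the values shown above; the two `type=AVC` lines are constructed examples of the audit record format (httpd connecting to port 3306, once while enforcing and once after `setenforce 0`), not captures from a real host. Function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the OPS235 page. Pure sh + awk parsers for the
# text that sestatus, getsebool -a and the audit log produce, so SELinux state
# can be checked from a script instead of read by eye. All sample inputs are
# CONSTRUCTED: sestatus/getsebool values copied from the listings above, and
# made-up AVC records that follow the kernel audit format.

SESTATUS_ENFORCING='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28'

# The same host after `setenforce 0`: only the "Current mode" line changes.
SESTATUS_PERMISSIVE=$(printf '%s\n' "$SESTATUS_ENFORCING" |
    sed 's/^Current mode:.*/Current mode:                   permissive/')

# Subset of `getsebool -a | grep httpd` output (constructed).
GETSEBOOL_HTTPD='httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_graceful_shutdown --> on'

# Two constructed AVC records: httpd reaching MySQL (port 3306) while enforcing
# (permissive=0, the connect was blocked) and again after setenforce 0
# (permissive=1, logged but allowed through).
AUDIT_SAMPLE='type=AVC msg=audit(1574860000.101:301): avc:  denied  { name_connect } for  pid=2301 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1574860030.202:302): avc:  denied  { name_connect } for  pid=2301 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1'

# selinux_mode SESTATUS_TEXT -> enforcing | permissive | disabled
selinux_mode() {
    printf '%s\n' "$1" | awk -F': *' '
        $1 == "SELinux status" && $2 == "disabled" { print "disabled"; exit }
        $1 == "Current mode" { print $2; exit }'
}

# httpd_bools_on GETSEBOOL_TEXT -> names of httpd_* booleans that are "on",
# one per line: everything httpd is currently permitted beyond the base policy.
httpd_bools_on() {
    printf '%s\n' "$1" | awk '$1 ~ /^httpd_/ && $3 == "on" { print $1 }'
}

# avc_summary AUDIT_TEXT -> one line per denial record:
#   comm permission tclass target_type blocked|logged-only
# "logged-only" means the record was produced in permissive mode.
avc_summary() {
    printf '%s\n' "$1" | awk '
        /type=AVC/ && /denied/ {
            perm = ""; comm = ""; tcon = ""; tclass = ""; pmode = ""
            if (match($0, /[{] [^}]* [}]/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm") comm = kv[2]
                else if (kv[1] == "tcontext") tcon = kv[2]
                else if (kv[1] == "tclass") tclass = kv[2]
                else if (kv[1] == "permissive") pmode = kv[2]
            }
            gsub(/"/, "", comm)
            n = split(tcon, part, ":")
            ttype = (n >= 3) ? part[3] : tcon
            print comm, perm, tclass, ttype, (pmode == "1" ? "logged-only" : "blocked")
        }'
}

# On a real host: selinux_mode "$(sestatus)"; httpd_bools_on "$(getsebool -a)";
# avc_summary "$(ausearch -m AVC -ts recent)". Here, the constructed samples:
selinux_mode "$SESTATUS_ENFORCING"
selinux_mode "$SESTATUS_PERMISSIVE"
httpd_bools_on "$GETSEBOOL_HTTPD"
avc_summary "$AUDIT_SAMPLE"
```

The avc_summary output is what to read before touching setsebool: a denial of name_connect on tcp_socket against mysqld_port_t from httpd_t is exactly the case httpd_can_network_connect_db exists for, and seeing the same record tagged logged-only after setenforce 0 shows that permissive mode does not make the problem go away, it only stops blocking it.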